Strategic Planning for IS Security: Designing Objectives

  • Gurpreet Dhillon
  • Gholamreza Torkzadeh
  • Jerry Chang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10844)


Management of information systems (IS) security in organizations has been hampered by the apparent failure of the traditional strategic planning process to include organizational security objectives. To improve IS security strategic planning, we argue that there should be a renewed emphasis on security planning objectives. In this paper we present two sets of objectives – fundamental objectives and means objectives. We then define an evaluation mechanism for assessing the security posture of a firm. Based on case work in healthcare, we illustrate the usefulness of the security evaluation method for designing enterprise security.


Keywords: IS security strategic planning; Value-focused thinking; IS security objectives

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Gurpreet Dhillon (1)
  • Gholamreza Torkzadeh (2)
  • Jerry Chang (2)
  1. University of North Carolina at Greensboro, Greensboro, USA
  2. University of Nevada Las Vegas, Las Vegas, USA